* Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-14 2:40 Krishna Vamsi-B22174
From: Krishna Vamsi-B22174 @ 2009-04-14 2:40 UTC (permalink / raw)
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Hi,

I am a newbie to this list. Here is my use case: we have a Loadable
Kernel Module which applies security to
the packets arriving from 1000 networks with overlapping addresses. There
are 3 different user space processes which handle
control traffic from these 1000 networks.

Please let me know

1) How to create a Network Namespace Object?
2) How to delete a Network Namespace Object?
3) Can these 3 user space processes see all the Network Namespace objects
created in the kernel?
If so, how can they access these objects?
4) How to group 2-3 interfaces under a particular Network Namespace?

Is there any patch available to achieve the above use case?

Regards
Vamsi
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-14 14:37 Serge E. Hallyn
From: Serge E. Hallyn @ 2009-04-14 14:37 UTC (permalink / raw)
To: Krishna Vamsi-B22174
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Quoting Krishna Vamsi-B22174 (avamsi-KZfg59tc24xl57MIdRCFDg@public.gmane.org):
> Hi,
>
> I am a newbie to this list. Here is my use case: we have a Loadable
> Kernel Module which applies security to
> the packets arriving from 1000 networks with overlapping addresses. There
> are 3 different user space processes which handle
> control traffic from these 1000 networks.
>
> Please let me know
>
> 1) How to create a Network Namespace Object?

clone(CLONE_NEWNET)

> 2) How to delete a Network Namespace Object?

exit

> 3) Can these 3 user space processes see all the Network Namespace objects
> created in the kernel?

No, network namespaces are fully isolated. A virtual nic can only exist
in one network namespace, and physical nics can only exist in the
initial network namespace.

> If so, how can they access these objects?
> 4) How to group 2-3 interfaces under a particular Network Namespace?

I don't understand the question, but you pass a veth endpoint into a
network namespace using

/sbin/ip link set veth1 netns $pid_in_other_netns

> Is there any patch available to achieve the above use case?

You can use liblxc (available from lxc.sf.net) or libvirt-lxc (libvirt.org).

-serge
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-22 10:57 Eric W. Biederman
From: Eric W. Biederman @ 2009-04-22 10:57 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Krishna Vamsi-B22174, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:

> Quoting Krishna Vamsi-B22174 (avamsi-KZfg59tc24xl57MIdRCFDg@public.gmane.org):
>> 1) How to create a Network Namespace Object?
>
> clone(CLONE_NEWNET)
>
>> 2) How to delete a Network Namespace Object?
>
> exit
>
>> 3) Can these 3 user space processes see all the Network Namespace objects
>> created in the kernel?
>
> No, network namespaces are fully isolated. A virtual nic can only exist
> in one network namespace, and physical nics can only exist in the
> initial network namespace.

Sockets can be passed between network namespaces if you set things
up correctly. At which point you can have 3 user space processes doing
all of the work.

It can be a bit of a pain to have processes lying around just so you can
create a socket in another network namespace but the code works today
and isn't too bad.

>> If so, how can they access these objects?
>> 4) How to group 2-3 interfaces under a particular Network Namespace?
>
> I don't understand the question, but you pass a veth endpoint into a
> network namespace using
>
> /sbin/ip link set veth1 netns $pid_in_other_netns

yep.

Eric
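Eric's point (a socket created in one network namespace can be handed to a process living in another and keeps answering for the namespace it was created in) together with Serge's clone(CLONE_NEWNET)/exit answers, as an added example that is not code from anyone in this thread: a child enters a fresh netns, opens a socket there and passes it back over SCM_RIGHTS; the parent then queries `lo` through that socket. It assumes Linux and permission to create a netns (CAP_SYS_ADMIN); the names `xfer_fd` and `demo_socket_from_other_netns` are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move one fd over a UNIX socket with SCM_RIGHTS: send fd if fd >= 0, else
 * receive one. Returns the fd moved, -1 on failure. */
static int xfer_fd(int sock, int fd) {
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof fd); memcpy(CMSG_DATA(c), &fd, sizeof fd);
        return sendmsg(sock, &msg, 0) == 1 ? fd : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1 || !(c = CMSG_FIRSTHDR(&msg)) ||
        c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Child: unshare(CLONE_NEWNET) (same effect as clone(CLONE_NEWNET)), open a
 * socket there, pass it to the parent, exit. The parent's copy keeps that netns
 * alive and ioctls on it answer for the child's netns (lo present but down).
 * Returns 1 on success, 0 if no netns can be created here (EPERM: no
 * CAP_SYS_ADMIN; EINVAL: kernel lacks netns support), -1 on other errors. */
int demo_socket_from_other_netns(void) {
    int sp[2], status, fd;
    struct ifreq ifr = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (unshare(CLONE_NEWNET) < 0) _exit(errno == EPERM || errno == EINVAL ? 2 : 3);
        int s = socket(AF_INET, SOCK_DGRAM, 0);   /* created inside the new netns */
        _exit(s < 0 || xfer_fd(sp[1], s) < 0 ? 3 : 0);
    }
    close(sp[1]); fd = xfer_fd(sp[0], -1);       /* returns once the child sent or died */
    waitpid(pid, &status, 0); close(sp[0]);
    if (fd < 0) return WIFEXITED(status) && WEXITSTATUS(status) == 2 ? 0 : -1;
    strncpy(ifr.ifr_name, "lo", IFNAMSIZ - 1);   /* query lo via the child's socket */
    int rc = ioctl(fd, SIOCGIFFLAGS, &ifr); close(fd);
    return rc < 0 || (ifr.ifr_flags & IFF_UP) ? -1 : 1;
}
```

The child is gone by the time the parent issues the ioctl, yet the namespace still exists because the passed socket holds a reference to it; once the parent closes that fd the namespace is torn down, which is the "exit" answer above in practice.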
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-23 8:26 Babu N
From: Babu N @ 2009-04-23 8:26 UTC (permalink / raw)
To: Eric W. Biederman, Serge E. Hallyn
Cc: Krishna Vamsi-B22174, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA

Hi,

I am finding that an unshare call with CLONE_NEWNET is giving an error in
Ubuntu 8.10 (kernel version 2.6.27).
The man page here (http://manpages.courier-mta.org/htmlman2/clone.2.html) states
that the CLONE_NEWNET implementation is not yet complete, but probably will be
mostly complete by about Linux 2.6.28.
Is there a way I can use CLONE_NEWNET successfully in 2.6.27?

Thanks,
Babu
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-23 8:39 Daniel Lezcano
From: Daniel Lezcano @ 2009-04-23 8:39 UTC (permalink / raw)
To: Babu N
Cc: Krishna Vamsi-B22174, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman

Babu N wrote:
> Hi,
>
> I am finding that an unshare call with CLONE_NEWNET is giving an error in
> Ubuntu 8.10 (kernel version 2.6.27).
> The man page here (http://manpages.courier-mta.org/htmlman2/clone.2.html) states
> that the CLONE_NEWNET implementation is not yet complete, but probably will be
> mostly complete by about Linux 2.6.28.
> Is there a way I can use CLONE_NEWNET successfully in 2.6.27?

No, in 2.6.27 the netns code is not complete and buggy.
You have to use the 2.6.29 kernel version.

-- Daniel
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-23 8:58 Daniel Lezcano
From: Daniel Lezcano @ 2009-04-23 8:58 UTC (permalink / raw)
To: Daniel Lezcano
Cc: Krishna Vamsi-B22174, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman

Daniel Lezcano wrote:
> No, in 2.6.27 the netns code is not complete and buggy.
> You have to use the 2.6.29 kernel version.

By the way, you can ask Tim Gardner, Cc'ing the Ubuntu kernel team, if the
net_ns is enabled in the 2.6.29 kernel version and, if not, if it is possible
to enable it.

Thanks

-- Daniel
* Re: Network Namespace-1000 networks with Overlap Addresses
@ 2009-04-23 9:48 Babu N
From: Babu N @ 2009-04-23 9:48 UTC (permalink / raw)
To: Daniel Lezcano, Daniel Lezcano
Cc: Krishna Vamsi-B22174, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman

Hi Daniel,

Thanks for the response. It's not enabled by default in Ubuntu 8.10. But I have
recompiled as per the instructions in
http://lxc.sourceforge.net/network/configuration.php and found NEWNET giving an
error in the recompiled kernel. Your reply clarifies this.

Thanks again.

- Babu